Hi, I found out that resolving DNSSEC-signed wildcard domains does not work correctly with dnsmasq. I think the problem is that it looks for a signature of the requested domain name and not the wildcard.
The following fails:

$ dig issues.pangaea.de

; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> issues.pangaea.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59252
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;issues.pangaea.de.            IN      A

;; Query time: 18 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 04 15:43:42 CET 2016
;; MSG SIZE  rcvd: 46

The reason is: "issues.pangaea.de" is covered by a star domain "*.pangaea.de" that is correctly signed (tested from another server - not using dnsmasq):

$ dig +dnssec *.pangaea.de

; <<>> DiG 9.8.1-P1 <<>> +dnssec '*.pangaea.de'
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8436
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;*.pangaea.de.                 IN      A

;; ANSWER SECTION:
*.pangaea.de.           28790   IN      A       134.1.2.171
*.pangaea.de.           28790   IN      RRSIG   A 7 2 28800 20160109144508 20151226151023 12714 pangaea.de. jwQUt4OJRlBEE3PUF6cEWJA6gOLWPpBWYbJHLIkR4tdGJh/kmtOk7T9Q MlSbChj51bhkV6oCQ++OhrsogYJ9qFpcVz8kVlEEfs08/Z1kNBe/dg3m HaAiyVVwONdyfe6dSfcYR3ZrH1PBWuxHDdbO8zGI8xGThSuZiIi1WEFC L64=

;; AUTHORITY SECTION:
pangaea.de.             28790   IN      NS      ns2.domaindiscount24.net.
pangaea.de.             28790   IN      NS      ns3.domaindiscount24.net.
pangaea.de.             28790   IN      NS      ns1.domaindiscount24.net.
pangaea.de.             28790   IN      RRSIG   NS 7 2 28800 20160109071640 20151226151023 12714 pangaea.de. l7sVnSXwN21lXvsANvjVxGyeh3c3rxlmg3ctfAShdvZpS/otk7L/HN8p O3sSJ83HFfl7QAmfoF/P3cy2yilmykJv3von/ojzXVeS3tpTAUzfALql maoKds12FcjyLVJDgEzi0xKG/DTmm2KG1bZHzXPzMVb4beZnzFN5twLK W+g=

;; Query time: 0 msec
;; SERVER: 85.25.128.10#53(85.25.128.10)
;; WHEN: Mon Jan  4 14:42:43 2016
;; MSG SIZE  rcvd: 471

How should this be solved? This is another one where dnssec fails, so clearly a bug.
There is a test page about exactly that case, which fails for me when resolving through dnsmasq: http://0skar.cz/dns/en/

Uwe

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: u...@thetaphi.de
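The wildcard rule the post is describing, as an added example (not code from the post or from dnsmasq): the RRSIG Labels field in the dig output above is 2 while "issues.pangaea.de" has 3 labels, which tells a validator to verify the signature over "*.pangaea.de" rather than the queried name (RFC 4034 s3.1.3, RFC 4035 s5.3.1). The function and constant names, and the elided signature placeholder, are this example's own.

```python
# Added example, not code from the post or from dnsmasq.  Per RFC 4034 s3.1.3
# and RFC 4035 s5.3.1 the RRSIG Labels field counts the labels of the owner
# name the RRset was signed under (root and a leading '*' excluded); when it is
# smaller than the answer's own label count, the answer was synthesized from a
# wildcard and the signature must be verified over the wildcard owner name.

def split_labels(name):
    """Labels of a presentation-format name, without the empty root label."""
    return [l for l in name.rstrip('.').split('.') if l]

def rfc4034_label_count(name):
    """Label count as the RRSIG Labels field defines it: '*' does not count."""
    labels = split_labels(name)
    if labels and labels[0] == '*':
        labels = labels[1:]
    return len(labels)

def parse_rrsig_rdata(rdata):
    """Parse presentation-format RRSIG RDATA; the signature is whatever
    base64 fields follow the signer name."""
    f = rdata.split()
    return {'type_covered': f[0], 'algorithm': int(f[1]), 'labels': int(f[2]),
            'original_ttl': int(f[3]), 'expiration': f[4], 'inception': f[5],
            'key_tag': int(f[6]), 'signer': f[7].rstrip('.').lower(),
            'signature': ''.join(f[8:])}

def signed_owner_name(owner, rrsig):
    """Return (name_to_verify, from_wildcard) for an RRset at `owner` covered
    by `rrsig`; raise ValueError when the RRSIG cannot apply to it."""
    labels = split_labels(owner.lower())
    owner_fqdn = '.'.join(labels) + '.'
    apex = rrsig['signer'] + '.'
    if owner_fqdn != apex and not owner_fqdn.endswith('.' + apex):
        raise ValueError('signer %s is not an ancestor of %s' % (apex, owner_fqdn))
    n = rfc4034_label_count(owner)
    if rrsig['labels'] == n:
        return owner_fqdn, False      # signed under its own name
    if rrsig['labels'] > n:
        raise ValueError('RRSIG Labels %d exceeds owner label count %d' % (rrsig['labels'], n))
    # Wildcard expansion: keep the rightmost Labels labels and prepend '*'.
    # A full validator also needs the NSEC/NSEC3 proof that no closer name
    # exists; that record is not in the post, so it is not modelled here.
    return '*.' + '.'.join(labels[len(labels) - rrsig['labels']:]) + '.', True

# The RRSIG from the post's dig output, base64 signature elided (placeholder).
RRSIG_FROM_POST = 'A 7 2 28800 20160109144508 20151226151023 12714 pangaea.de. SIGNATURE_OMITTED'
```

`signed_owner_name('issues.pangaea.de.', parse_rrsig_rdata(RRSIG_FROM_POST))` returns `('*.pangaea.de.', True)`, i.e. the signature has to be checked over the wildcard name; a resolver that instead looks for an RRSIG matching "issues.pangaea.de" finds none and returns SERVFAIL, which is the symptom reported above.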